Monday, May 15, 2017

Microsoft has a point

In the midst of the ongoing WannaCrypt attacks, Microsoft has issued an unusually strongly-worded warning to governments around the world to quit hoarding vulnerabilities.

The bug exploited by the attack was hoarded by the United States National Security Agency (NSA), leaked earlier this year and since patched by Microsoft – but patches aren't perfect, rollouts take time and WannaCrypt locked up a lot of machines in its first wave.

Microsoft is not pleased, and in this post renews its call for a “Digital Geneva Convention” and its long-standing demand that governments disclose vulnerabilities to vendors instead of stockpiling them.

“An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen,” writes Brad Smith, Redmond president and legal boss.

Noting the “unintended but disconcerting” link between nation-state activity and criminal activity, Smith adds that governments need “to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits”. The “Digital Geneva Convention” Redmond recommends would therefore require governments “to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them”.

With the caveat that these exploits are generally the result of poor programming, partially because Bill Gates would rather farm the work out to idiots in Bangalore instead of paying his domestic coders a decent wage, and the "Digital Geneva Convention" was probably written to benefit Microsoft and not the civilized world, I otherwise agree.

Exploits are potential weapons of mass destruction, very much like Tomahawk missiles. When a hack gets out into the wild, it can at least cause millions of dollars of damage, and at most bring down worldwide communications and commerce: we've seen that happen in the past.

We're okay with the military having weapons of mass destruction, because we expect them to have the tools to effectively attack national enemies. But we also expect the military to damn well keep them under lock and key, and not just let some contractor walk out the door with them to sell them on the black market.

We do this with plutonium, sarin and anthrax, so let's also do this with hack tools.

Oh, as an aside: when we find out some Russian is making sarin in his kitchen, we kill him and then lock up everyone he's ever met. We also don't let him sell it on the darknet and take payment in Bitcoin.

I think governments will take this seriously, and I still think Bitcoin's days are numbered.